Xavier's Security Post
Tuesday, December 06, 2005
.php.any file extension PHP execution
on Sun, 04 Dec 2005 22:32:49 -0600, Ron disclosed a possible vulnerability pertaining to Apache+PHP. the scenario goes as follows:

an attacker is able to upload the file:
example.php.rar (or as it seems, many many many other extensions)

possibly bypassing filters which strip out or reject files with a .php extension.

the next step is simply visiting the file you uploaded; if it contained php code, it most likely will get executed.

now, the condition is that the final extension, in my example ".rar", is not configured in Apache with a proper MIME type; in that case the file seems to be executed by the PHP engine.
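The gap between a filter that only looks at the final extension and one that looks at every extension in the name, as an added example that is not part of the original post or of Ron's disclosure. The `PHP_EXTENSIONS` set, the function names and the sample file names (other than `example.php.rar`) are assumptions made for the illustration.

```python
import os

# Assumption: the extensions the server hands to the PHP engine. Adjust to
# match the AddType/AddHandler lines of the Apache configuration in use.
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml"}

# Constructed sample names; only example.php.rar comes from the post.
SAMPLE = ["photo.jpg", "index.php", "example.php.rar",
          "notes.PHP.bak", "archive.rar", "php.txt"]


def naive_filter_allows(filename):
    """The kind of filter the post describes: checks the final extension only."""
    final_ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return final_ext not in PHP_EXTENSIONS


def php_segments(filename):
    """Return every extension segment (anything after the first dot of the
    base name) that the server would map to PHP."""
    name = os.path.basename(filename.replace("\\", "/"))
    segments = name.lower().split(".")[1:]
    return [s for s in segments if s.strip() in PHP_EXTENSIONS]


def strict_filter_allows(filename):
    """Reject the upload if a PHP extension appears anywhere in the name."""
    return not php_segments(filename)


def audit(filenames):
    """Names the naive filter accepts but the strict filter rejects, e.g. when
    reviewing what is already sitting in an upload directory."""
    return [f for f in filenames
            if naive_filter_allows(f) and not strict_filter_allows(f)]


if __name__ == "__main__":
    for name in SAMPLE:
        print(f"{name:18} naive={naive_filter_allows(name)!s:5} "
              f"strict={strict_filter_allows(name)}")
    print("slipped past the naive filter:", audit(SAMPLE))
```

Storing uploads under a server-generated name, in a directory where no PHP handler is configured, avoids depending on extension parsing at all.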

so far replies have pointed out the following affected versions:
Apache 1.3.33
Apache 2.0.54

I've personally verified that the issue works on:
Apache/1.3.33 with PHP 4.4.0 (cli) (built: Oct 22 2005 02:27:37)

I plan on doing my research a bit later on in the morning.. to be continued!
This public blog will be a place for me to output any Security findings, both technological and physical, that I have come about. I will post Security advisories I was a part of, and also other interesting bits of knowledge. email: xavier [at] tigerteam.se
